Magazine

Epidemic

September 07, 2003

David Farber, a professor of computer science at Carnegie Mellon University, was sitting down to lunch with his wife at Taquer?a Morole?n, a Mexican restaurant in Kennett Square, Pa., on Aug. 21, when his cell phone started vibrating. An e-mail had landed in his cell-phone inbox. Yet as soon as he had cleared the e-mail, the phone vibrated again. And again. And again. He could hardly get a bite in edgewise. Farber was yet another victim of a now-famous computer virus, called SoBig, that turned computers worldwide into drones pumping out millions of e-mails bearing malicious code. It was a digital snowball effect. Farber's conclusion: "We're losing the battle against computer viruses."

Indeed, to those most affected, it seems as if this summer's onslaught of viruses has reached epidemic proportions. Since early August, the world's computer systems have been blitzed by hundreds of viruses -- some of them real doozies. On Aug. 11, the Blaster virus and related bugs struck, hammering dozens of corporations, including Air Canada's reservation and airport check-in systems. Ten days later, the SoBig virus took over, causing delays in freight traffic at rail giant CSX Corp. and shutting down more than 3,000 computers belonging to the city of Fort Worth. Worldwide, 15% of large companies and 30% of small companies were affected by SoBig, according to virus software tracker TruSecure Corp. Market researcher Computer Economics Inc. estimates damage will total $2 billion -- one of the costliest viruses ever. All told, damage from viruses may amount to more than $13 billion this year.

And it could get worse. Six versions of SoBig have been launched since January, each more effective than the last. Security experts are now waiting nervously for the next one, expected on Sept. 11. Because the author of the SoBig virus has turned thousands of computers into virtual slaves standing ready to do his bidding as e-mailers, experts wonder what he has in mind. Is he planning on linking up with spammers and spreading their ads around ever more quickly? Or does he have something more nefarious planned -- perhaps a mass delivery system for an even more pernicious virus?

Even as the damage reports pour in, the Summer of SoBig provides a jangling wake-up call to businesses, consumers, and the software industry: Get serious about cyber security. Usually, after each huge virus attack, people promise themselves they'll do a better job of protecting their computers. Then they gradually forget about it. That won't do anymore. "People buy anti-virus programs and firewalls and think that's the solution, and they're secure. But they're not," says Brian B. King, a Net security analyst at CERT Coordination Center in Pittsburgh, which tracks viruses for the federal government. "There's always a way malicious code can get in."

And that means the very vitality of the information economy could be at risk. Combine viruses with the scourge of spam, and you have two heavy anchors dragging on an already sluggish economic ship. Indeed, the virus epidemic may undermine tech's productivity boost. A new focus on defense could even discourage corporations from making investments in the latest computers and software. "Every year, we spend more money on security, on monitoring," says June Drewry, chief information officer at Chicago insurance company AON Corp. "That's money you could be investing in other ways."

At the same time, technology experts are warning of the dangers of relying so heavily on just one outfit -- Microsoft Corp. -- to provide the backbone of the computing and Internet world. With a 95% market share, Microsoft's Windows desktop operating system is a fat, juicy target for the bad guys. The company got so many complaints about SoBig that senior executives, including Windows boss Brian Valentine, were pressed into service manning customer support lines. Some critics even say that Microsoft, as a virtually essential service, has an obligation to ensure that its software is sufficiently hostile to hackers. And while Microsoft has launched a safe-software initiative, tech experts are calling on the company to make more fundamental changes in the way it designs programs. "Microsoft has to write better software," says Paul Saffo, director of think tank Institute for the Future in Menlo Park, Calif. "It's outrageous that a company this profitable does such a lousy job."

All of this raises a troubling question: Will people start to question the effectiveness of the tech gear upon which they've become so dependent? Already, e-mail systems and networks have proved unreliable. Data aren't there at your fingertips when you need them. The e-mail order you're expecting is missing -- while your inbox is overloaded with hundreds of junk ads. In the future, tech systems could become less useful, too. If companies and individuals resort to blocking e-mail from addresses they don't know, it will short-circuit one of the nearly magical attributes of the Web: Its ability to facilitate instant connections between strangers.

Until now, viruses have been little more than a nuisance. Most of the 80 or so brand-new viruses created each month have little effect, rarely doing more than slowing traffic, clogging e-mail inboxes, and hobbling a smattering of businesses.

But viruses have become far more dangerous of late. Blame that on the ubiquity of the Internet: It has become a veritable virus superhighway. A virus launched one morning can infect computers all over the world by the end of the day. The Slammer virus, which hit in January of this year, spread ultrafast, infecting nearly 100,000 computers in the first 10 minutes alone.

Virus writers are also getting a whole lot smarter -- and nastier. Take the Nimda virus, which struck shortly after the September 11, 2001, terror attacks. Known as a "blended threat," it had five different ways of replicating and of attacking computers and networks. The culture of hacking has changed, too. While the previous generation was often renegade teenagers who broke into networks to show off to their friends, security experts say that fast-moving, organized international teams of hackers are now posing a much larger threat.

What really worries security experts is that someone out there -- perhaps even terrorists -- might be able to wipe out the contents of tens of thousands of computer hard drives or shut down the power grid. "I expect to see some viruses come along that will be seriously disruptive," says Hal R. Varian, dean of the School of Information Management & Systems at the University of California at Berkeley.

Even if such a killer virus never strikes, the combination of viruses with spam e-mail have turned everyday computing into an ordeal for consumers. When people check their e-mail, they're greeted with a seemingly endless string of advertisements for penis enlargement, Viagra, cheap mortgages, or sexy girls. And that's if e-mail is working. Unpacking a new computer used to be exciting. Now it can be fraught with worry. Just ask Linda Beebe, an American retiree who on Aug. 13 had a new PC delivered to her Pyrenees vacation house in Maul?on-Barousse, France. When Beebe connected to the Internet, she immediately caught the Blaster virus, which shut down her computer. It took three full days to get it working again. "Now I'm so angry I can't even think straight," says Beebe.

Of course, no one is arguing that viruses and spam will stop people from using their computers. "We rely on our e-mail, on getting on the Internet," says Beebe. And, for businesses, it's absolutely vital. There's no turning back the digital clock. But these twin scourges will turn computing into something akin to driving a car: Sometimes you're tooling along the open road. Other times you're stuck -- cursing -- in city traffic. And unlucky drivers have head-on collisions.

The computing world can't count on law enforcement to put virus writers out of commission. Tracking down these criminals is incredibly difficult. Since they're usually not interested in financial gain, there's no money trail for sleuths to follow. Virus writers have proved skillful at covering their tracks. So far, only 10 have been captured and convicted -- typically because they bragged about their exploits.

And when it comes to the most complex viruses -- the ones like Nimda that keep mutating to stay ahead of the cleanup crews -- there are probably a dozen people in the world expert enough to figure them out.

It's a few dozen expert hackers that law enforcers worry about most. They're brilliant at exploiting vulnerabilities in software, and they work furiously once they spot them. For instance, after Microsoft identified a major flaw in its latest Windows operating system versions and posted a patch on its Web site on July 16, it took less than a month for virus writers to come up with Blaster and a handful of other viruses that picked on the flaw. And since many corporations and consumers hadn't gotten around to loading the patch yet, they got hammered. It could have been worse. Microsoft found the problem only because it was notified about it in June by four Polish computer scientists, members of the Last Stage of Delirium Research Group, which identifies software vulnerabilities.

Security experts and corporate tech purchasers say the glitches exist because Microsoft and other software companies have placed a high priority on getting products out quickly and loading them with features, rather than attending to security. They're calling on the industry -- and Microsoft in particular -- to make software more secure. Ralph Szygenda, chief information officer at General Motors Corp., got fed up when his computers were hit by the Nimda virus in late 2001. He called Microsoft executives. "I told them I'm going to move away from Windows," Szygenda recalls. "They started talking about security all of a sudden."

Last year, amid much fanfare, Microsoft launched its Trustworthy Computing initiative, a campaign it claimed would put security at the core of its software design. As part of the campaign, more than 8,500 Microsoft engineers stopped developing the upcoming Windows Server 2003 and conducted a security analysis of millions of lines of freshly written code. Microsoft ultimately spent $200 million on beefing up security in Windows Server 2003 alone. "It's a fundamental change in the way we write software," says Mike Nash, vice-president for security business. "If there was some way we could spend more money or throw more people on it, believe me, we'd do it." Yet, embarrassingly, Windows Server 2003, released in April, was one of the operating systems exploited by Blaster. The virus carried a snide message for Microsoft Chairman William H. Gates III: "Billy Gates why do you make this possible? Stop making money and fix your software!"

Unfortunately, glitchy software is not so easy to fix. Security experts say the company and the rest of the software industry need to undertake a much more fundamental shift in the way they write programs if they hope to make progress against virus writers. Aviel Rubin, a professor of computer science at Johns Hopkins University, says a lot of the features in Windows are designed to make PCs easy to use and to integrate one program with another -- yet it's those very technologies that virus writers exploit. "First, make programs secure. Everything else comes after that," urges Rubin. "If you don't do this, computers will quickly become unusable."

Some Microsoft critics believe that the only way for the software giant fundamentally to mend its ways is for it to become liable for the damage its customers suffer as a result of viruses. They propose that the software industry adopt minimal standards for software quality and security. "We need liabilities in software, just like any other consumer product," says Bruce Schneier, the chief technology officer for Counterpane Internet Security Inc., a security software company. "When that happens, this will be fixed. Now, there's no business incentive to fix the problem."

Others suggest that corporations and consumers switch from Windows to avoid viruses. While Apple's Macintosh computer and the Linux operating system aren't inherently more secure, they're not targets for virus writers the way Windows is. Linux has gained traction as a corporate server computer and industry analysts say Linux could become a more attractive alternative on desktop computers if the Windows virus scourge isn't brought under control. The Indian Institute of Technology in Bombay, for instance, is now switching its workstations from Windows to Linux, partly because of security concerns.

For now, much of the burden for combating viruses lies with computer users themselves. Most large corporations already have basic anti-virus software. But security experts maintain that they need to come up with better procedures for frequently updating their computers with the latest security patches to programs and inoculations against new viruses. Verizon Communications (VZ) Inc. has gotten serious about security in the past couple of years and already has a system for automatically updating its 200,000 computers as soon as patches are available. As a result, it escaped unscathed from this summer's attacks. "As far as business impact, it was a nonevent for us," says Chief Information Officer Shaygan Kheradpir.

Many corporations are sizing up a new generation of security software that approaches threats holistically -- with all the defenses plugged into one another. An integrated collection of virus-scanning, firewall, and intrusion-detection software is designed to defeat viruses, no matter how they try to enter the company. A new kind of scanning software checks out not just the labels on packets of information that are zooming along the networks but also makes sure the data inside are really what the labels say they are. And a security dashboard keeps tabs on everything that's happening on a company's network -- looking for evidence that something many be awry. Their purchases are expected to boost total sales of security software by 10%, to $3.8 billion, this year, while the overall software industry remains flat, according to researcher Gartner Inc.

Small businesses and home users need to be just as vigilant. Basic anti-virus software now ships on most PCs, and network routers used for Internet access are equipped with firewall software that scans for viruses. But analysts say they fear consumers and small businesses aren't taking advantage of the software they have. It's no wonder. Unlike corporations, these computer users don't have their own info-tech departments. Fortunately, several companies offer services with annual fees of $25 to $35 that automatically alert people when a new virus antidote is ready to be downloaded into their computer.

The key is slavishly downloading new software the moment it's available. Jonathan Hamilton learned that lesson the hard way. The finance newsletter writer in Norcross, Ga., paid no attention to the Windows Update feature in his home office computer. When Blaster struck, his 16-year-old son, Daniel, dutifully downloaded a patch that blocked the virus. Dad did not. The result: His computer was knocked out of commission for five days, and he barely got his newsletter out on time. "Live and learn," Hamilton says.

But even constant vigilance may not be enough. As with a war on terror, it's not necessarily what you anticipate that can hurt you most. Tomasz Ostwald of the Last Stage of Delirium Research Group, which spotted the big glitch in Windows, says he's most worried about hackers coming up with new forms of viruses. The worst threat, he said, would be worms that wend their way into companies without being detected, hide, and wait -- then perform some act of destruction or thievery. "The most successful attack may be the undetected one," says Ostwald.

That's a chilling thought. In the cyberworld, with brainiac hackers tapping away on their keyboards late into the night, any technical feat is possible. And no threat is safely ignored. By Steve Hamm in New York, with Jay Greene in Redmond, Wash., Cliff Edwards and Jim Kerstetter in San Mateo, Calif., and bureau reports